Single Sign-On with JWT

If your app has a manage URL or if your element uses external settings, then we authenticate the user using JSON Web Tokens (JWT). Parameters that identify the user, along with an iat (the Issued At timestamp, i.e. the time the token was generated), the user's language, and the jti (a unique JWT ID used to prevent replay attacks), are injected as a token into the URL.

NOTE: Weebly automatically appends the JWT string to the end of the URL, including any necessary operands (like ? and &). If you want the JWT to be placed in a specific part of the URL, you can use :jwt, and Weebly will replace that with the JWT (without adding any operands - you'll need to include those).

JWT tokens are encoded using the HS256 algorithm. Our implementation follows the standard as specified in the JSON Web Token spec.

You decode the token by including a JWT library and using your Secret (found on your app’s admin page in the Developer Admin portal). For example, if you've included the Firebase PHP JWT library, you decode the token with the following PHP code:

Decode the Token in PHP

These are the fields that the token contains:

user_id

site_id

callback_url

iat (the timestamp)

jti (the token ID)

There are many client libraries for JWT; you can find them at http://jwt.io/. That site also includes a fiddle, where you can test out your decoding.
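The checks behind decoding this token, written out without a library as an added example (it is not Weebly's code or the Firebase library's API): it pins HS256, verifies the HMAC with your Secret, then uses iat and jti to reject stale and replayed tokens. The secret value, the 300-second freshness window, the in-memory `$seenJti` store and the sample claims are assumptions made for illustration.

```php
<?php
// Added example, not Weebly's code. The secret, the 300 s freshness window
// and the in-memory jti store are assumptions for illustration.

function b64url_decode(string $s) {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true); // false on bad input
}

function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function verify_sso_jwt(string $jwt, string $secret, array &$seenJti, int $now, int $maxAge = 300): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h64, $p64, $s64] = $parts;

    // Pin the algorithm; never let the token's own header select it.
    $header = json_decode((string) b64url_decode($h64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') throw new RuntimeException('unexpected alg');

    // Recompute the HMAC over "header.payload" and compare in constant time.
    $sig = b64url_decode($s64);
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    if (!is_string($sig) || !hash_equals($expected, $sig)) throw new RuntimeException('bad signature');

    $claims = json_decode((string) b64url_decode($p64), true);
    foreach (['user_id', 'site_id', 'iat', 'jti'] as $field) {
        if (!isset($claims[$field])) throw new RuntimeException("missing $field");
    }
    // iat bounds the token's age; a jti may be accepted only once.
    if (!is_numeric($claims['iat']) || abs($now - (int) $claims['iat']) > $maxAge) throw new RuntimeException('stale token');
    if (!is_scalar($claims['jti']) || isset($seenJti[(string) $claims['jti']])) throw new RuntimeException('replayed or invalid jti');
    $seenJti[(string) $claims['jti']] = (int) $claims['iat']; // production: shared store with expiry
    return $claims;
}

// Constructed sample token (every value here is made up).
$secret = 'constructed-demo-secret';
$now = 1700000000;
$h = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
$p = b64url_encode(json_encode(['user_id' => '1001', 'site_id' => '2002', 'iat' => $now - 5, 'jti' => 'demo-jti-1']));
$jwt = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));

$seen = [];
print_r(verify_sso_jwt($jwt, $secret, $seen, $now)); // first presentation of the token
try { verify_sso_jwt($jwt, $secret, $seen, $now); }  // same token presented a second time
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Because the token arrives in the URL, it can end up in browser history, referrer headers and access logs, which is why the jti check needs a store shared by every server that handles the manage URL.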
